iOS Web Service Access

Monkton, Inc.

Rebar itself allows for Web Services to be accessed via API Endpoints within the Rebar Hub. We have added the ability to call Web Services directly from apps itself, in a secured manner you can use to validate users and their credentials.

When a user logs into an app built with Rebar, they are issued a set of Rebar Bearer Tokens (RBT) that are stored within the app. Each request made by the app secured by Rebar via HTTPS is then signed with the RBT and passed as headers for the the server to authenticate the user and context. (These can be embedded in your web service calls with the RebarUtil.instance.signedRebarHeaders convenience method).

Going directly to the web service will avoid the overhead of an extra hop from the Rebar Hub, increasing performance of the app secured with Rebar.

Web Service Token Guidance

We have provided this documentation here that discusses generating Web Service Bearer Tokens (WSBT) for consumption by apps

Checklist for Web Service Access

Token Generation Checklist

  • Identify how you would like to generate tokens

    Your web service will need to be able to generate an initial token for the user of the web service. Your Token Generation Service must be able to call the Rebar Token Validation Service

  • Generate Tokens for Users

    Once your Token Generation Service has invoked the Rebar Token Validation Service and obtained a valid user, the service shall generate tokens and assign a TTL to the token

  • Securely store tokens in the app

    If writing a bespoke method to sign, store and retrieve the tokens using Rebar's secure RebarSettingController.default.setSecureSetting and RebarSettingController.default.getSecureSetting methods. If you are going to use Rebar's built in methods to use the settings, invoke the RebarUtil.default.setWebServiceApiKeys methods described below.

  • Sign the Requests

    When invoking your web service, the Rebar RBT signed headers must be present in the request, as well as the apps signed token headers. Use the RebarSettingController.default.getSecureSetting to retrieve your tokens if you are performing signing yourself or the RebarUtil.default.signedHeadersForWebServiceApi method to automatically manage signing

  • Refresh Tokens

    As your tokens expire, the web service shall be able to refresh the tokens with the Rebar Token Validation Service at any time. The Rebar RBT are sent with each request to your web service, the headers can be forwarded to the Rebar Token Validation Service and validation can be performed. As above, you will need to securely store the refreshed tokens.

Calling your Web Service Token Generator Service

To invoke your Web Service and receive your bearer tokens, you will need to embed the RBT signed headers with the RebarUtil.instance.signedRebarHeaders method. This will enable your backend web service to invoke the Rebar Token Validation Service to validate the user is still valid.

To make this request, perform the following (this assumes https://api.mydomain.com/token is your token generation endpoint).

Rebar automatically does this for any connection library using the URLRequest class, but this is an example of how it is done under the hood. If you are using bespoke connection libraries, you must do this yourself.

URLRequest Example

let request: URLRequest = ...

let headers = RebarUtil.default.signedRebarHeaders
for key in headers.keys {
    request.addValue(headers[key]!, forHTTPHeaderField: key)
}

Storing Headers

You can store your WSBT in the RebarUtil.default.setWebServiceApiKeys by invoking:

// Grab the keys we will store
let sharedKey = resultDictionary["authKeyRefId"] as! String
let secretKey = resultDictionary["secretKey"] as! String

// Store these values
RebarUtil.default.setWebServiceApiKeys(service: "sample-app", publicKey: sharedKey, secretKey: secretKey)

In this example, the result from the WSBT has a header value authKeyRefId and secretKey, we then store them using the RebarUtil.default.setWebServiceApiKeys method. From here, we can then use those WSBT tokens to sign headers.

Leveraging Headers and Making Requests

When you are ready to make your request to the server, you will want to invoke the RebarUtil.default.signedHeadersForWebServiceApi method. This generates the series of headers you can add to your HTTPS request to the server. You can find more about this on the iOS and Android pages:

Additionally for all URLRequest classes, in the app-config.json value you must add your Web Service domains. This will automate the signing of the request with the RBT and WSBT headers.

"rebar.webservice.hosts": [
    "sample-dev-api.monkton.io"
]